Imperva Cyber Community

communities_1.jpg
 View Only
  • 1.  regexp match error match time limit

    Posted 08-05-2020 11:43
    Hello,
    I encountered a problem: /var/log/messages has a lot of "regexp match error match time limit" error messages, and the gateway' CPU usage is very high, but the processed traffic is very small. How should I do ?

    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Shoulin Yan
    Hope
    beijing CAM
    ------------------------------


  • 2.  RE: regexp match error match time limit

    Posted 08-05-2020 13:43
    @Shoulin YanThat's a difficult question to answer without divulging information that someone can leverage to bypass inspection.  I recommend they open a support ticket. ​You can login here

    ------------------------------
    Christopher Detzel
    Community Manager
    Imperva
    ------------------------------



  • 3.  RE: regexp match error match time limit

    Posted 08-06-2020 01:08
    Hi Shoulin,

    Also you can check if recently new policies have been applied that could have caused this.
    The CPU can be high since the processed traffic has extremely large parameters.
    You can create an exception to the policy to ignore extremely large parameters to see if it solves the issue.
    But then you should find the problem and delete the exception.
    Best,

    ------------------------------
    Ira Miga
    Imperva
    Knowledge Engineer
    ------------------------------



  • 4.  RE: regexp match error match time limit

    Posted 08-08-2020 10:05
    Hi lra,
    Thank you for your reply, there is no new strategy application recently.
    After investigation, I found that the HTTP request parameters of several URLs are too long. I guess that the HTTP request parameters may be too long to match the "Recommended signatures Policy for Web Applications" or "Web Correlation Policy", which has timed out, resulting in high CPU usage.

    ------------------------------
    Shoulin Yan
    Hope
    beijing CAM
    ------------------------------



  • 5.  RE: regexp match error match time limit

    Posted 08-08-2020 09:51
    Edited by Shoulin Yan 08-08-2020 09:56
    Ok, Thank you!
    Original Message:
    Sent: 08-05-2020 13:42
    From: Christopher Detzel
    Subject: regexp match error match time limit

    @Shoulin YanThat's a difficult question to answer without divulging information that someone can leverage to bypass inspection.  I recommend they open a support ticket. ​You can login here

    ------------------------------
    Christopher Detzel
    Community Manager
    Imperva



  • 6.  RE: regexp match error match time limit

    Posted 08-06-2020 16:27
    ¯\_(ツ)_/¯ Quote the answer from the case I once opened,
    The regex timeout happens when the policies uses those signature and there are high amount of traffic using those policies.​


    ------------------------------
    Wenlong Wang
    Beijing Yiyi Information Technology Co., Ltd.
    Beijing
    ------------------------------



  • 7.  RE: regexp match error match time limit

    Posted 08-08-2020 10:12
    Hi Wenlong,
    Thank you for your reply. I think it should not be because of the high traffic, but because the request parameters are too long, which leads to timeouts when matching many signature codes. Would it be convenient for you to share the complete record of CASE?

    ------------------------------
    Shoulin Yan
    Hope
    beijing CAM
    ------------------------------